New Member

FWSM: Configuration practices and performances

Hi everyone,

I am working on a FWSM in a Cisco 7606 Router. I was looking through the current rules and was doing some housekeeping and realised that there were multiple occurrences of "object-group network" and "object-group service".

From what I have understood so far, when configuring rules using the ASDM, if users do not select a specific created object-group and manually type them in, ASDM automatically creates them. For example:

Extract of configuration:

object-group network DM_INLINE_NETWORK_16
     network-object host 10.1.1.1
     network-object host 10.1.1.2
object-group network DM_INLINE_NETWORK_17
     network-object host 10.1.1.1
     network-object host 10.1.1.2
object-group network DM_INLINE_NETWORK_18
     network-object host 10.1.1.1
     network-object host 10.1.1.2

-END-

If I had done this:

object-group network TACACS_SERVER
     network-object host 10.1.1.1
     network-object host 10.1.1.2

-END-

The question is....

If I had created an object-group TACACS_SERVER and used this 1 instance of it in all my rules in the access_list, would it be better than letting ASDM create the DM_INLINE_NETWORK_16,17,18 object-groups?

Does it have any runtime performance drawback?

Which of these 2 practices is recommended?

Thank You.

1 ACCEPTED SOLUTION

Cisco Employee

I'd suggest using just one obj grp, like the one that you created. The others are duplicates of each other, which will only increase the config file size. You will not see any performance issue due to this.

-Kureli
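
An added example (not part of the original thread, and not Cisco tooling): a small audit script that finds network object-groups with identical members in a saved configuration, as in the extract above, and shows which access-list references would change if they were consolidated. The sample text is constructed: the groups follow the post's extract (with the member order of one group swapped), while the access-list lines and DNS_SERVER are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: groups follow the post's extract; ACL lines are invented.
SAMPLE_CONFIG = """\
object-group network DM_INLINE_NETWORK_16
 network-object host 10.1.1.1
 network-object host 10.1.1.2
object-group network DM_INLINE_NETWORK_17
 network-object host 10.1.1.2
 network-object host 10.1.1.1
object-group network TACACS_SERVER
 network-object host 10.1.1.1
 network-object host 10.1.1.2
object-group network DNS_SERVER
 network-object host 10.1.2.1
access-list inside_in extended permit tcp any object-group DM_INLINE_NETWORK_16 eq 49
access-list dmz_in extended permit tcp any object-group DM_INLINE_NETWORK_17 eq 49
"""

def parse_groups(config):
    """Return {name: frozenset of member lines} for network object-groups."""
    groups, current = defaultdict(set), None
    for line in filter(str.strip, config.splitlines()):
        head = re.match(r"object-group network (\S+)", line)
        if head or not line[0].isspace():
            current = head.group(1) if head else None  # any top-level line
        elif current and line.split()[0] in ("network-object", "group-object"):
            groups[current].add(" ".join(line.split()))  # normalise spacing
    return {name: frozenset(members) for name, members in groups.items()}

def consolidation_plan(config):
    """Map each redundant group to its replacement, preferring non-DM_INLINE names."""
    by_members = defaultdict(list)
    for name, members in parse_groups(config).items():
        by_members[members].append(name)
    plan = {}
    for names in by_members.values():
        keep, *dups = sorted(names, key=lambda n: (n.startswith("DM_INLINE_"), n))
        plan.update({dup: keep for dup in dups})
    return plan

def rewrite_acls(config, plan):
    """Return the access-list lines with redundant group names replaced."""
    return [re.sub(r"(?<=object-group )\S+", lambda m: plan.get(m[0], m[0]), line)
            for line in config.splitlines() if line.startswith("access-list ")]

if __name__ == "__main__":
    plan = consolidation_plan(SAMPLE_CONFIG)
    print(plan, *rewrite_acls(SAMPLE_CONFIG, plan), sep="\n")
```

Groups are compared as sets of members, so entries listed in a different order still count as duplicates. The script only reports; review each substitution before changing the device.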

New Member

Hi Kureli,

Thanks for your reply. I had the impression that having multiple object-groups would affect the performance of the FWSM. But anyway, I would simplify the object-group organization since it would be easier for human readability.

Thank You.

-leaving this post open for a while for further input from the community

-will close it in about a week's time.
